This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.DEBIAN_DLA-3149.NASLDebian DLA-3149-1 : ruby-nokogiri - LTS security update
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.018 Low
EPSS
Percentile
88.1%
The remote Debian 10 host has a package installed that is affected by multiple vulnerabilities as referenced in the dla-3149 advisory.
-
A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby’s
Kernel.openmethod. Processes are vulnerable only if the undocumented methodNokogiri::CSS::Tokenizer#load_fileis being called with unsafe user input as the filename. This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.
(CVE-2019-5477) -
Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible. This is fixed in Nokogiri version 1.11.0.rc4. (CVE-2020-26247)
-
Nokogiri is an open source XML and HTML library for Ruby. Nokogiri
< v1.13.4contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri>= 1.13.4. There are no known workarounds for this issue. (CVE-2022-24836)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
#
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory dla-3149. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#
include('compat.inc');
if (description)
{
script_id(166069);
script_version("1.2");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/10/12");
script_cve_id("CVE-2019-5477", "CVE-2020-26247", "CVE-2022-24836");
script_name(english:"Debian DLA-3149-1 : ruby-nokogiri - LTS security update");
script_set_attribute(attribute:"synopsis", value:
"The remote Debian host is missing one or more security-related updates.");
script_set_attribute(attribute:"description", value:
"The remote Debian 10 host has a package installed that is affected by multiple vulnerabilities as referenced in the
dla-3149 advisory.
- A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a
subprocess via Ruby's `Kernel.open` method. Processes are vulnerable only if the undocumented method
`Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input as the filename. This
vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by
Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was
addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.
(CVE-2019-5477)
- Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In
Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by
Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network,
potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by
Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible. This is fixed
in Nokogiri version 1.11.0.rc4. (CVE-2020-26247)
- Nokogiri is an open source XML and HTML library for Ruby. Nokogiri `< v1.13.4` contains an inefficient
regular expression that is susceptible to excessive backtracking when attempting to detect encoding in
HTML documents. Users are advised to upgrade to Nokogiri `>= 1.13.4`. There are no known workarounds for
this issue. (CVE-2022-24836)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934802");
# https://security-tracker.debian.org/tracker/source-package/ruby-nokogiri
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a4325c6e");
script_set_attribute(attribute:"see_also", value:"https://www.debian.org/lts/security/2022/dla-3149");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2019-5477");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2020-26247");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-24836");
script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/buster/ruby-nokogiri");
script_set_attribute(attribute:"solution", value:
"Upgrade the ruby-nokogiri packages.
For Debian 10 buster, these problems have been fixed in version 1.10.0+dfsg1-2+deb10u1.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-5477");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2019/08/16");
script_set_attribute(attribute:"patch_publication_date", value:"2022/10/12");
script_set_attribute(attribute:"plugin_publication_date", value:"2022/10/12");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:ruby-nokogiri");
script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:10.0");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Debian Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
exit(0);
}
include('debian_package.inc');
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
var release = get_kb_item('Host/Debian/release');
if ( isnull(release) ) audit(AUDIT_OS_NOT, 'Debian');
var release = chomp(release);
if (! preg(pattern:"^(10)\.[0-9]+", string:release)) audit(AUDIT_OS_NOT, 'Debian 10.0', 'Debian ' + release);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);
var pkgs = [
{'release': '10.0', 'prefix': 'ruby-nokogiri', 'reference': '1.10.0+dfsg1-2+deb10u1'}
];
var flag = 0;
foreach package_array ( pkgs ) {
var release = NULL;
var prefix = NULL;
var reference = NULL;
if (!empty_or_null(package_array['release'])) release = package_array['release'];
if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
if (release && prefix && reference) {
if (deb_check(release:release, prefix:prefix, reference:reference)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : deb_report_get()
);
exit(0);
}
else
{
var tested = deb_pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'ruby-nokogiri');
}
| Vendor | Product | Version | CPE |
|---|---|---|---|
| debian | debian_linux | ruby-nokogiri | p-cpe:/a:debian:debian_linux:ruby-nokogiri |
| debian | debian_linux | 10.0 | cpe:/o:debian:debian_linux:10.0 |
References
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5477
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26247
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24836
www.nessus.org/u?a4325c6e
bugs.debian.org/cgi-bin/bugreport.cgi?bug=934802
packages.debian.org/source/buster/ruby-nokogiri
security-tracker.debian.org/tracker/CVE-2019-5477
security-tracker.debian.org/tracker/CVE-2020-26247
security-tracker.debian.org/tracker/CVE-2022-24836
www.debian.org/lts/security/2022/dla-3149
Related
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.018 Low
EPSS
Percentile
88.1%